Thursday, August 6, 2009

Many times I come across clients that think they can do everything. As we all know, no one knows everything, and sometimes we must consult subject matter experts (SMEs) in order to get things done. Knowing when you don't know something is one of the most important skills to have. For those of you who enjoy what I'll call the "motivational posters", the ones with black backgrounds and a picture with a witty caption, today's blog is for you.

Similar to Fail Blog[1], today's topic is a major fail, but in the information security world. I ran across a patch for some software to address "potential SQL injection"[2]. From the forum post, the "CEO" links to a page[3] with the fix. Here comes the fail(s). Under the section "What is an SQL injection attack", the first sentence reads: "SQL injection is also know as cross-site scripting". Wow, I bet OWASP would be surprised to know that. Secondly, the fix[4] simply sets maxQueryLength_ to 500 and checks for the string literal "DECLARE%20". This was the "patch" to prevent an advanced SQL injection attack in hex that was in the wild. If none of this makes sense to you, that's fine, and do what Mike Randolph should have done, and consult expert assistance. Information security isn't something to take a gamble on, and when in doubt, ask for expert help!
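To make the point concrete, here is an added illustration (not code from the patch or the vendor): a function that mirrors the patch's two checks, a 500-character cap and a substring match on "DECLARE%20", next to a parameterized query, which is the fix an SME would have recommended. The table, the sample names and the function names are constructed for this example.

```python
import sqlite3

# The patch's maxQueryLength_ value, as described in the post.
MAX_QUERY_LENGTH = 500


def blacklist_check(query_string: str) -> bool:
    """Mirror of the criticized 'fix': reject over-long input or one
    URL-encoded signature, pass everything else through untouched.
    It never looks at quotes, so it is not a defense against injection
    in general, only a filter for one specific string."""
    if len(query_string) > MAX_QUERY_LENGTH:
        return False
    return "DECLARE%20" not in query_string


def build_db() -> sqlite3.Connection:
    """Constructed sample data: an in-memory table with two users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO users (name) VALUES (?)",
                     [("alice",), ("O'Brien",)])
    return conn


def find_user(conn: sqlite3.Connection, name: str):
    """Parameterized lookup. The driver hands `name` to the engine as a
    bound value, so quotes or SQL keywords inside it stay data and can
    never change the statement. No blacklist or length cap is needed."""
    return conn.execute(
        "SELECT id, name FROM users WHERE name = ?", (name,)
    ).fetchone()
```

The blacklist happily accepts an apostrophe-laden value and rejects a long but harmless one; the parameterized lookup simply matches on the exact value.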